Abstract: Properly locating sensor nodes is an important building block for a large subset
of wireless sensor networks (WSN) applications. As a result, the performance of the WSN 
degrades significantly when misbehaving nodes report false location and distance information
in order to fake their actual location. In this paper we propose a general distributed
deterministic protocol for accurate identification of faking sensors in a WSN. Our scheme 
does not rely on a subset of trusted nodes that are not allowed to misbehave and are known 
to every node in the network. Thus, any subset of nodes is allowed to try faking its position. 
As in previous approaches, our protocol is based on distance evaluation techniques developed 
for WSN. 

On the positive side, we show that when the received signal strength (RSS) technique
is used, our protocol handles at most $\lfloor n/2 \rfloor - 2$ faking sensors. Also, when the time of flight
(ToF) technique is used, our protocol manages at most $\lfloor n/2 \rfloor - 3$ misbehaving sensors. On
the negative side, we prove that no deterministic protocol can identify faking sensors if their
number is $\lceil n/2 \rceil - 1$. Thus our scheme is almost optimal with respect to the number of faking
sensors.

We discuss application of our technique in the trusted sensor model. More precisely our 
results can be used to minimize the number of trusted sensors that are needed to defeat 
faking ones. 

Key-words: Wireless Sensor Network, Secure Positioning, Distributed Protocol, Faking 
Sensor. 
Deterministic and secure localization in sensor networks

Summary: Correctly locating autonomous sensors is an important building block for a
large number of applications in wireless sensor networks (WSN). Indeed, the effectiveness
of the WSN is significantly degraded when malicious nodes report false positions and
false distance information in order to simulate a fictitious location. In this article, we
propose a distributed algorithmic solution for the exact identification of malicious sensors
in a WSN. Our approach is not based on the use of a subset of "trusted" nodes that would
be known to every other node of the WSN. Thus, any subset of the participants may try to
cheat about its position. As in previous approaches, our protocol is based on distance
evaluation techniques developed for WSNs.

We show that when the received signal strength (RSS) technique is used, our protocol
can tolerate at most $\lfloor n/2 \rfloor - 2$ malicious nodes. Moreover, when the time of flight (ToF)
technique is used, our protocol can handle at most $\lfloor n/2 \rfloor - 3$ cheaters. We also show
that it is impossible for a deterministic protocol to identify the malicious nodes if their
number is at least $\lceil n/2 \rceil - 1$, which makes our result almost optimal with respect to the
number of malicious nodes tolerated.

We discuss the application of our technique to the model in which trusted nodes exist.
More precisely, our results can be used to minimize the number of trusted nodes needed
for flawless detection of malicious nodes.

Keywords: Wireless sensor networks, secure localization, distributed algorithm,
malicious sensors.
Chapter 1



Introduction 



Properly locating sensor nodes is an important building block for a large subset of wireless
sensor networks (WSN) applications. For example, environment and habitat monitoring [20],
surveillance and tracking for military [10] or civilian purpose, both require the knowledge
of the location where a particular event takes place. Location of nodes in a WSN can also
be used for location based routing algorithms (such as geographic routing [2]), or location
based services.

Most existing position verification protocols rely on distance evaluation techniques
(e.g. [nisi [mm US [12]). Received signal strength (RSS) X and time of flight (ToF) [S]
techniques are relatively easy to implement yet very precise (one or two meters). In the RSS
technique, the receiving sensor estimates the distance of the sender on the basis of sending and
receiving signal strengths. In the ToF technique, the sensor estimates distance based on message
delay and radio signal propagation time. Position verification using the aforementioned
distance estimation techniques is relatively straightforward provided that all sensors cooperate.
However, this task becomes challenging in the presence of misbehaving nodes that
are allowed to report false position and distance information in order to fake their actual
position. In the following such nodes are denoted as faking or cheating nodes.

Such misbehaviors could occur due to several factors: a sensor may malfunction due 
to improper sensor deployment, partial communication problem due to objects in the vicinity,
or inaccurate position (coordinates) estimation. We consider that misbehaving sensors are 
unaware that they are malfunctioning, so locally they properly execute the protocol that is 
given to all nodes. Nevertheless, they can report incorrect position, change signal strength 
(when the RSS technique is used), or report incorrect transmission time (when the ToF 
technique is used). 
1.1 Related Work

Most methods [31 21 [ini [H] existing in the literature that use distance estimation techniques
to detect and filter out faking nodes are based on the availability of a few fixed trusted entities
(or verifiers) that are equipped with GPS. We refer to this model as the trusted sensor (or
TS) model. In this model, the faking nodes may use attacks not available to regular nodes,
such as radio signal jamming or using directional antennas, that permit to implement e.g.
wormhole attack [12] and Sybil attack [8]. Lazos and Poovendran [15] present a secure
range-independent localization scheme, where each sensor computes its position based on
beacon messages received from locators. Sensors compute the center of gravity of the beacons'
intersection region, and the computed location becomes the estimated location of the sensor.
Probabilistic analysis of the protocol demonstrates that it is resilient to wormhole and Sybil
attacks, with high probability. Lazos et al. [16] further refine this scheme with multilateration
to reduce the number of required locators, while maintaining probabilistic guarantees. The
protocol of Capkun and Hubaux [i] relies on a distance bounding technique proposed by
Brands and Chaum [2]. Each sensor v measures its distance to a (potential) faking sensor u
based on its message round-trip delay and radio signal propagation time, thus enabling the
faking node u only to enlarge the distance to v. Then, if the faking node is located inside the
triangle formed by verifiers and its faked position is also located within the triangle, then
at least one of the three verifiers detects an inconsistency. The protocol of Capkun, Cagalj and
Srivastava [3] is supported by powerful verifiers that know their positions and communicate over
wired channels, which prevents faking nodes from locating them or listening to their transmissions.
Then, each verifier v measures the arrival time $t_v$ of the (potential) faking node transmission.
Verifiers exchange all such arrival times and check consistency of the declared position. However,
the TS model presents several drawbacks in WSNs: first, the network cannot self-organize in an
entirely distributed manner, and second, the trusted nodes have to be checked regularly and
manually to actually remain trusted.

Relaxing the assumption of trusted nodes makes the problem more challenging, and to 
our knowledge, has only been investigated very recently [13]. We call this model where 
no trusted node preexists the no trusted sensor (or NTS) model. The approach of [13] is 
randomized and consists of two phases: distance measurement and filtering. In the distance 
measurement phase, sensors measure their distances to their neighbors, faking sensors being 
allowed to corrupt the distance measure technique. In the filtering phase each correct sensor 
randomly picks 2 so-called pivot sensors. Next each sensor v uses trilateration with
respect to the chosen pivot sensors to compute the location of its neighbor u. If there is a
match between the announced location and the computed location, the (u, v) link is added
to the network, otherwise it is discarded. Of course, the chosen pivot sensors could be faking
and lying, so the protocol may only give probabilistic guarantees.

In this paper we present a deterministic protocol that performs in the NTS model and 
where every correct (i.e. non-faking) node: (i) identifies the positions (coordinates) of all
correct nodes, and (ii) identifies the faking nodes (if any). The goal of the faking nodes is 
to convince the correct nodes that they are located in a fake position. 
1.2 Our results

The main contribution of this paper is a secure deterministic positioning protocol, FindMap,
in the NTS model. To the best of our knowledge, it is the first deterministic protocol for this
problem in the NTS model. The basic version of the protocol assumes that faking sensors
are not able to mislead distance evaluation techniques. Then, our protocol correctly filters
out faking sensors provided they are at most $\lceil n/2 \rceil - 2$. Conversely, we show that
in the same setting it is impossible to deterministically solve the problem when the number
of faking sensors is at least $\lceil n/2 \rceil - 1$. We then extend the protocol to deal with faking sensors
that are also allowed to corrupt the distance measure technique (RSS or ToF). In the case
of RSS, our protocol tolerates at most $\lfloor n/2 \rfloor - 2$ faking sensors (provided that no four sensors
are located on the same circle and no three sensors are co-linear). In the case of ToF, our
protocol may handle up to $\lfloor n/2 \rfloor - 3$ faking sensors (provided that no six sensors are located
on the same hyperbola and no three sensors are co-linear).

Our results have significant impact on secure positioning in the TS model as well. The
TS protocol presented by Capkun et al. [3] relies on a set of hidden stations that detect
inconsistencies between measured distance and distance computed from claimed coordinates,
using a ToF-like technique to estimate the distance. Our detailed analysis shows that six
hidden stations (verifiers) are sufficient to detect inconsistency in the same setting. In [3],
the authors conjecture that the ToF-like technique could be replaced with the RSS technique.
Our results answer positively the open question of [5], improving the number of needed
stations to four. So, in the TS model, our results can be used to efficiently deploy a minimal
number of trusted stations.
Chapter 2



Technical preliminaries 



We assume that every node is able to communicate to every other node in the WSN. The size
of the WSN is n and is known to every node. Each node is also aware of its own geographic
coordinates, and those coordinates are used to identify nodes. The WSN is partially synchronous:
every node operates in rounds. In one round, every node is able to send exactly
one message to every other node without collision occurring. For each transmission, a correct
node uses the same transmission power $S_s$.

Faking nodes are allowed to transmit incorrect coordinates (and thus incorrect identifier)
to the other nodes. In the basic protocol, faking nodes cannot corrupt distance measure
techniques, while in Section 4 we relax this assumption and allow faking sensors to change
their radio transmitter power and send a related fake position to the correct nodes. In Section
5 a faking sensor can also report incorrect transmission time. Also, we assume that faking
nodes may cooperate between themselves in an omniscient manner (i.e. without exchanging
messages) in order to fool the correct nodes in the WSN.

We assume that all distance estimation techniques are perfect with respect to precision.
The distance computed by node v to node u based on a distance estimation technique is
denoted by $\hat{d}(v,u)$. The distance computed by v to the node u using coordinates provided
by u is denoted by $d(v,u)$. A particular sensor v detects inconsistency on distance (i.e.
position) of sensor u if $\hat{d}(v,u) \neq d(v,u)$. Our protocols rely on detecting and reporting such
inconsistencies.

In the remainder of the paper, we use three distance estimation techniques:

1. In the received signal strength (RSS) technique we assume that each node can precisely
measure the distance to the transmitting node from RSS by Friis's transmission equation [17]:




(2.1) 
where $S_s$ is the transmission power of the sender, $S_r$ is the remaining power or received
signal strength (RSS) of the wave at the receiver, $\lambda$ is the wavelength and $d$ is the distance
between sender and receiver.

2. The synchronous time of flight (SToF) technique relies on propagation time of the
radio signal. For this technique we assume that sensors are synchronized by global
time. Sender u attaches the time of transmission $t_s$ to the message. The receiver
v records the arrival time $t_r$ of the message. Next v computes the distance
$\hat{d} = t \cdot s$ of u based on the time delay $t = t_r - t_s$ of the message and radio signal speed s.

3. The different arrival time (DAT) technique provides similar guarantees as SToF. The
advantage of DAT over SToF is that DAT does not require synchronization. In the
DAT technique each sensor transmits its message with two types of signals that differ
in propagation speed, e.g. radio signal (RF) and ultrasound signal (US). Sender
sensor u transmits its message with RF and US signals simultaneously. Receiver sensor
v, which estimates its distance to sender u, records the arrival time $t_r$ of the RF signal and
the arrival time $t_u$ of the US signal from u. Then, based on the propagation speed $s_r$ of RF,
the propagation speed $s_u$ of US and the difference of arrival times $t = t_r - t_u$, sensor v can
compute the distance to sensor u. Equation (2.2) shows the relation.




(2.2) 
Chapter 3



Basic Protocol 



In this section we present the protocol FindMap, that essentially performs by majority
voting. The protocol detects all faking sensors provided that $n - 2 - f > f$. Thus the
total number of faking sensors is at most $\lceil n/2 \rceil - 2$. In this section we consider the relatively
simpler case where faking sensors are not able to cheat the distance estimation techniques
(see above) that are used by the correct nodes. Our second key assumption is that no three
correct sensors are co-linear. This assumption allows us to formulate the following fact.

Fact 1 If a faking sensor transmits a message with a fake position then at least one of three
correct sensors can detect an inconsistency (see Figure 3.1).

Based on Fact 1 we can develop FindMap(threshold). The protocol operates in two
rounds. The protocol is parameterized by a threshold parameter. In Round 1 all sensors
exchange their coordinates by transmitting an initial message. Next each node v computes
the distances $\hat{d}(v,u)$ (from the distance estimation technique) and $d(v,u)$ (from the obtained
node coordinates) of u and compares them. If $\hat{d}(v,u) \neq d(v,u)$ then v accuses u of faking its
position. Otherwise v does not accuse u. To keep a record of its accusations, each node
v maintains an array $accus_v$ of size n. In Round 2 each node v exchanges its array of
accusations. Next each node v counts accusations toward every other node u including
its own accusations. A sensor v detects a sensor u as faking if the number of accusations
is at least equal to the threshold parameter. For our basic FindMap protocol we use
threshold = $\lfloor n/2 \rfloor$.

Figure 3.1: Example in which sensor F consistently fakes its location to F' against sensors
$P_1$ and $P_2$. However the third sensor $P_3$ always detects an inconsistency since no three
correct sensors are co-linear.

Protocol FindMap(threshold = $\lfloor n/2 \rfloor$)

Round 1:
    v exchanges coordinates by transmitting $init_v$ and receiving $n - 1$ messages.
    for each received message $init_u$:
        compute $\hat{d}(v,u)$ and $d(v,u)$ using the coordinates of u.
        if ($\hat{d}(v,u) \neq d(v,u)$) then $accus_v[u] \leftarrow$ true
        else $accus_v[u] \leftarrow$ false
Round 2:
    v exchanges accusations by transmitting $accus_v$ and receiving $n - 1$ accusations.
    for each received $accus_u$:
        for r = 1 to n
            if $accus_u[r]$ = true then $NumAccus_r$ += 1
    for each sensor u:
        if (threshold $\le NumAccus_u$) then v considers u as faking.

Theorem 1 Protocol FindMap($\lfloor n/2 \rfloor$) identifies all the faking sensors and finds the position
of correct sensors provided $n - f - 2 > f$.

Proof: First we will show that each faking sensor will be accused by a proper number
of correct sensors. In each subset of three correct sensors there exists at least one which
detects inconsistency on distance to a faking sensor. This is guaranteed by Fact 1. Thus each
faking sensor will be accused by at least $n - f - 2$ correct sensors. Inequality $n - f - 2 > f$
guarantees that the number of correct sensors is at least $\lfloor n/2 \rfloor$. We can also observe that each
correct sensor can be accused by at most $\lceil n/2 \rceil - 2$ faking sensors. However this is not enough
to find a correct sensor faking. □
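
The two rounds of FindMap and the bound of Theorem 1 can be checked with a small simulation. This is an added example, not code from the paper: the function names, the coordinates and the faker behaviour (each faker announces its mirror image across the line through two correct sensors, as in Figure 3.1, and accuses every correct sensor) are assumptions chosen as a worst case.

```python
import math

TOL = 1e-9  # ranging is exact in the paper's model; this only absorbs float rounding


def dist(a, b):
    return math.hypot(a[0] - b[0], a[1] - b[1])


def reflect(p, a, b):
    """Mirror image of point p across the line through a and b."""
    dx, dy = b[0] - a[0], b[1] - a[1]
    t = ((p[0] - a[0]) * dx + (p[1] - a[1]) * dy) / (dx * dx + dy * dy)
    foot = (a[0] + t * dx, a[1] + t * dy)
    return (2 * foot[0] - p[0], 2 * foot[1] - p[1])


def find_map(correct, fakers):
    """Simulate FindMap(floor(n/2)) in the basic model (ranging cannot be corrupted).

    correct: true positions of the correct sensors (announced truthfully)
    fakers:  (true_position, announced_position) pairs
    Sensors are indexed correct first, then fakers.
    Returns (flagged, counts): indices judged faking, accusations per sensor.
    """
    true_pos = list(correct) + [t for t, _ in fakers]
    announced = list(correct) + [a for _, a in fakers]
    n, n_correct = len(true_pos), len(correct)
    threshold = n // 2

    # Round 1: every sensor fills its accusation array.
    accus = [[False] * n for _ in range(n)]
    for v in range(n):
        for u in range(n):
            if u == v:
                continue
            if v < n_correct:
                # Correct sensor: measured distance vs. distance to announced coordinates.
                measured = dist(true_pos[v], true_pos[u])
                claimed = dist(true_pos[v], announced[u])
                accus[v][u] = abs(measured - claimed) > TOL
            else:
                # Assumed collusion: fakers accuse all correct sensors, never each other.
                accus[v][u] = u < n_correct

    # Round 2: arrays are exchanged, so every correct sensor computes the same counts.
    counts = [sum(accus[v][u] for v in range(n)) for u in range(n)]
    flagged = {u for u in range(n) if counts[u] >= threshold}
    return flagged, counts


def scenario(n_correct, n_fakers):
    """Constructed layout: correct sensors on a parabola, so no three are co-linear."""
    correct = [(float(i), float(i * i)) for i in range(n_correct)]
    fakers = []
    for j in range(n_fakers):
        true = (j + 0.5, -3.0 - j)
        # Mirroring across the line through correct[0] and correct[1] keeps those
        # two sensors consistent; every other correct sensor sees a mismatch.
        fakers.append((true, reflect(true, correct[0], correct[1])))
    return correct, fakers


if __name__ == "__main__":
    for n_correct, n_fakers in ((6, 3), (5, 4)):
        flagged, counts = find_map(*scenario(n_correct, n_fakers))
        print(n_correct, n_fakers, sorted(flagged), counts)
```

With n = 9 and f = 3 the condition n - f - 2 > f holds and exactly the three fakers are flagged; with f = 4 it fails, the fakers collect only three accusations each, and the five correct sensors are the ones flagged.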

Next we show that it is impossible to detect the real location of correct sensors and filter
out the faking ones when $n - 2 - f \le f$. The assumption that faking sensors cannot corrupt
the distance ranging technique makes this result even stronger. Our protocol is synchronous
but this impossibility result holds for asynchronous settings too.

Theorem 2 If $n - f - 2 \le f$ then the real location of the correct sensors cannot be detected
by a deterministic protocol.

Proof: Let us assume that correct sensors run a protocol V, which allows to detect
location of correct sensors and identify the faking sensors even when $n - f - 2 = f$. In case
$n - f - 2 < f$ we make some faking sensors correct to achieve equality and in case n is odd
one of the faking sensors will remain silent. Let us consider the first execution (see figure
3.2). There are two correct sensors v and u located on the straight line l. There are two
sets of sensors, C (correct sensors) and F (faking sensors), located on the lower half of the plane.
The sizes of the sets are equal, $|C| = |F| = f$. The sensors in F are trying to convince sensors
v and u that they are located in F' on the other side of the straight line l symmetrically.
Each sensor in F behaves as if it was a correct sensor reflected symmetrically against straight
line l. The sensors in F' are called virtual faking sensors. Virtual sensors in F' execute
the protocol as if sensors in C were faking and their correct location was in C', which is the
symmetric reflection of C against straight line l. Construction of the second execution will
clarify why we need such behavior of sensors in F'. We can see that sensors v and u are not
able to detect inconsistency directly on the distance of virtual faking sensors since symmetry
preserves their distances from v and u. By our assumption about correctness of the protocol
V, sensors v and u are able to verify that sensors in F' are faking.

Figure 3.2: First execution. Legend: C - correct nodes; F - faking nodes; C' - virtual correct
nodes; F' - virtual faking nodes.





Figure 3.3: Second execution. Legend: F' - virtual faking nodes; C' - virtual correct nodes.

Now let us consider the second execution (see figure 3.3). In the second execution sensors
in C and F' are swapped. Thus sensors in F have to be located on the other side of straight
line l symmetrically. Now virtual faking sensors in F' can imitate the first execution of the
correct sensors in C. Correct sensors in C behave like virtual sensors in F' in the first execution.
This is because the virtual sensors in F' in the first execution behaved like correct sensors
and additionally they claimed that sensors from C were located in C' (see figure 3.3). Now F
is really located in the previous location of C and the sensors in C are correct. Thus sensors
v and u are not able to distinguish between the first and the second execution. Sensors v
and u will have to decide that C is the set of faking sensors. This is because v and u have made
such a decision in the first execution and v and u are not able to distinguish between these two
executions. □
Chapter 4

Protocol based on RSS ranging 
technique 

In this section, we consider that sensors use the RSS technique to measure distance. We are
assuming that each correct sensor has a fixed common transmission signal strength of $S_s$.
The faking sensors can change their transmission signal strength and send a suitable fake
position to other sensors. Let F be a faking sensor that changes its signal strength $S_s$
and sends a suitable fake position F' to other correct sensors. Sensor v can estimate the
distance $\hat{d}$ from the received signal strength (RSS) by Friis's transmission equation, assuming
the common signal strength $S_s$ has been used, according to the assumption in Section 2,

where $c = (\lambda / 4\pi)^2$, $S_r = c\, S'_s / d^2$, and $d$ is the distance from v to the actual position of F.

We show that Protocol FindMap($\lceil n/2 \rceil - 1$) can be adapted to this model provided that
$n - 3 - f > f$, i.e. the total number of faking sensors is at most $\lfloor n/2 \rfloor - 2$ and no four correct
sensors are located on a particular circle. In this variant of the protocol, a sensor v considers
sensor u faking if the number of accusation messages for u is at least $\lceil n/2 \rceil - 1$.

Lemma 1 Let F be a faking sensor, and $P_1$ and $P_2$ be two correct sensors. There exists a
position $(x_f, y_f)$ for F such that F is always able to fake a position $F' = (x'_f, y'_f)$ to both $P_1$
and $P_2$, with $x_f \neq x'_f$ and $y_f \neq y'_f$, by changing its signal strength from $S_s$ to $S'_s$.

Proof: The faking sensor F changes its signal strength from $S_s$ to $S'_s$ and sends a
corresponding fake position $(x'_f, y'_f)$ to $P_1$ and $P_2$ such that

$\hat{d}_1 = \sqrt{S_s / S'_s}\; d_1$ and $\hat{d}_2 = \sqrt{S_s / S'_s}\; d_2$,

where $\hat{d}_1$ and $\hat{d}_2$ are the estimated distances measured by $P_1$ and $P_2$ respectively from the
RSS of F, and $(x'_f, y'_f)$ is the point of intersection of the two circles centered at $P_1$ and $P_2$
with radius $\hat{d}_1$ and $\hat{d}_2$ respectively, according to figure 4.1. $d_1$ and $d_2$ are the distances
from the actual position $(x_f, y_f)$ of F to $P_1$ and $P_2$ respectively.

Then $P_1$ and $P_2$ are not able to detect the inconsistency of the fake position $(x'_f, y'_f)$ of
F such that $x_f \neq x'_f$ and $y_f \neq y'_f$. □

Figure 4.1: An example showing a faking sensor F can supply its suitable false position F'
to correct sensors $P_1$ and $P_2$ by changing its signal strength.

Lemma 2 Let F be a faking sensor, and $P_1$ and $P_2$ be two correct sensors. There exists a
position $(x_f, y_f)$ for F such that F can always choose a fake position $F' = (x'_f, y'_f)$ for both
$P_1$ and $P_2$, with $x_f \neq x'_f$ and $y_f \neq y'_f$, by changing its signal strength. Then the possible
fake locations for F' are placed on a circular arc.

Proof: From Lemma 1 we know that $\hat{d}_1 / d_1 = \sqrt{S_s / S'_s}$ and $\hat{d}_2 / d_2 = \sqrt{S_s / S'_s}$, that is
$\hat{d}_1 / d_1 = \hat{d}_2 / d_2$, or $\hat{d}_1 / \hat{d}_2 = d_1 / d_2$, which implies $\hat{d}_1 / \hat{d}_2 = \delta$ where $\delta = d_1 / d_2$ = constant,
for a pair of sensors $P_1$ and $P_2$.

If $(x_1, y_1)$ and $(x_2, y_2)$ are the coordinates of $P_1$ and $P_2$ then the possible location of the
fake position $(x'_f, y'_f)$ satisfies

$$\frac{(x - x_1)^2 + (y - y_1)^2}{(x - x_2)^2 + (y - y_2)^2} = \delta^2$$

$$\Rightarrow\; x^2 + y^2 - 2\,\frac{x_1 - \delta^2 x_2}{1 - \delta^2}\,x - 2\,\frac{y_1 - \delta^2 y_2}{1 - \delta^2}\,y + \frac{x_1^2 + y_1^2 - \delta^2 (x_2^2 + y_2^2)}{1 - \delta^2} = 0$$

which is an equation of a circle, where $\delta = \sqrt{\dfrac{(x_f - x_1)^2 + (y_f - y_1)^2}{(x_f - x_2)^2 + (y_f - y_2)^2}}$.

Now we have to prove that $(x'_f, y'_f)$ can lie only on the $F_1FF_2$ part of the circular arc as shown
in figure 4.2, where $F_1$ and $F_2$ are the points of intersection of the two circles of transmission
range centered at $P_1$ and $P_2$ such that at least one of the circles is at its maximum transmission
range.

We can prove this by contradiction. Suppose $(x'_f, y'_f)$ lies on the counterpart of the
circular arc $F_1FF_2$. Then it is not possible for F to pretend its fake position to $P_1$ and $P_2$
simultaneously, since the counterpart of the circular arc $F_1FF_2$ does not belong to the common
transmission range of $P_1$ and $P_2$; hence proved. □

Figure 4.2: An example showing possible locations ($F_1FF_2$) of the fake position $(x'_f, y'_f)$
that can be supplied by faking sensor F for a pair of correct sensors $P_1$ and $P_2$ by changing
its signal strength.

Lemma 3 Let F be a faking sensor, and $P_1$, $P_2$, $P_3$ be three correct sensors on a circle.
There exists a position $(x_f, y_f)$ for F and positions $(x_1, y_1)$, $(x_2, y_2)$ and $(x_3, y_3)$ such that
F is always able to fake a position $F' = (x'_f, y'_f)$ to $P_1$, $P_2$ and $P_3$ such that $x_f \neq x'_f$ and
$y_f \neq y'_f$.

Proof: From Lemmas 1 and 2, faking sensor $F = (x_f, y_f)$ can fake its position $F' = (x'_f, y'_f)$
to two correct sensors $P_1$, $P_2$ by changing its signal strength from $S_s$ to $S'_s$ such that
$P_1F' : P_1F = \lambda$ and $P_2F' : P_2F = \lambda$ where $\lambda = \sqrt{S_s / S'_s}$ and $P_1F' = \hat{d}_1$, $P_1F = d_1$, $P_2F' = \hat{d}_2$,
$P_2F = d_2$.

We have to prove that there exists a sensor $P_3$ with coordinates $(x_3, y_3)$ such that $P_3$
is not able to detect the inconsistency of the fake position $(x'_f, y'_f)$, i.e., $P_3$ has to be located at
a position like $P_1$ and $P_2$ such that $P_3F' : P_3F = \lambda$ as shown in figure 4.3. Therefore
$FF' : F'P_3 = (1 - \lambda) : \lambda$. Therefore $(x_3, y_3) = \left( \dfrac{x'_f - \lambda x_f}{1 - \lambda},\; \dfrac{y'_f - \lambda y_f}{1 - \lambda} \right)$. From geometry we know
that only one circle passes through three fixed points, hence proved. □

Figure 4.3: An example showing a faking sensor F can lie about its position by changing
signal strength to three correct sensors.

Lemma 4 Let F be a faking sensor, and $P_1$, $P_2$ be correct sensors. There exists a position
$(x_f, y_f)$ for F and positions $(x_1, y_1)$, $(x_2, y_2)$ such that F is always able to fake a position
$F' = (x'_f, y'_f)$ to $P_1$ and $P_2$ such that $x_f \neq x'_f$ and $y_f \neq y'_f$. Then F can also fake the
position $(x'_f, y'_f)$ to more $P_i$'s if and only if they lie on a particular circle.

Proof: Lemma [5] implies that faking sensor F can fix a fake position F' on the circular
arc $F_1FF_2$ with a suitable changed signal strength ($S'_s$) such that $P_1$ and $P_2$ are not able to
detect the inconsistency, as shown in figure 4.4.

Figure 4.4: An example showing a faking sensor F can lie about its position by changing
signal strength to multiple correct sensors which lie on a particular circle.

Let P be a variable point such that it keeps the same ratio ($= \lambda$) like $P_1$ and $P_2$
with F and F'. Then P also is not able to detect the inconsistency of the fake position
F'. If $\hat{d}_p$ is the distance between P and F' and $d_p$ is the distance between P and F then

$\hat{d}_p / d_p = \lambda$.

Therefore the possible location of the point P is $\dfrac{(x - x'_f)^2 + (y - y'_f)^2}{(x - x_f)^2 + (y - y_f)^2} = \lambda^2$.

This is an equation of a circle with respect to the given fake position F' of F and $P_1$ and
$P_2$, as shown in the figure. Therefore, F pretends the fake position F' to the sensors which
lie only on the particular circle. □

Theorem 3 Let F be a faking sensor, and $P_1$, $P_2$, $P_3$ be three correct sensors on a circle.
If there exists a sensor $P_4$ which does not lie on the same circle, $P_4$ is able to detect the
inconsistency of F.

Proof: From Lemma 3, faking sensor F can convey the fake position F' to $P_1$, $P_2$, $P_3$,
provided circles with radius $\hat{d}_1 = \lambda d_1$, $\hat{d}_2 = \lambda d_2$, and $\hat{d}_3 = \lambda d_3$ centered at $P_1$, $P_2$, and $P_3$
respectively intersect at F', where $\lambda = \sqrt{S_s / S'_s}$.

Figure 4.5: An example showing that if four sensors $P_1$, $P_2$, $P_3$, $P_4$ do not lie on a particular
circle then faking sensor F can be detected by sensor $P_4$ which does not lie on the circle.

As $P_4$ is not on the circle, $\hat{d}_4 \neq \lambda d_4$ as in figure 4.5, which implies $\hat{d}_4 \neq d(P_4, F')$, where
$d(P_4, F')$ is the distance from $P_4$ to F' calculated from the coordinates of F'. Hence $P_4$ is able
to detect the inconsistency of faking node F. □
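
Theorem 3 can be checked numerically. This is an added example, not code from the paper: it assumes the Friis relation with unit antenna gains, and the coordinates, power values and function names are constructed. Three verifiers placed on the circle where |PF'| = λ|PF| see no inconsistency, while a fourth verifier off that circle does.

```python
import math

WAVELENGTH = 0.125  # metres; constructed value, it cancels out of the distance estimate


def dist(a, b):
    return math.hypot(a[0] - b[0], a[1] - b[1])


def rss_estimate(sensor, sender_pos, tx_power, assumed_power):
    """Distance a correct sensor derives from the power it receives.

    Friis with unit antenna gains (assumption): S_r = c * S_tx / d^2 with
    c = (lambda / 4 pi)^2. The receiver inverts it assuming the common power S_s.
    """
    c = (WAVELENGTH / (4 * math.pi)) ** 2
    s_r = c * tx_power / dist(sensor, sender_pos) ** 2
    return math.sqrt(c * assumed_power / s_r)


def blind_circle(true_pos, fake_pos, lam):
    """Circle of sensor positions P with |P F'| = lam * |P F| (requires lam != 1)."""
    k = lam * lam
    centre = ((fake_pos[0] - k * true_pos[0]) / (1 - k),
              (fake_pos[1] - k * true_pos[1]) / (1 - k))
    radius = lam * dist(true_pos, fake_pos) / abs(1 - k)
    return centre, radius


def accuses(sensor, true_pos, fake_pos, tx_power, common_power):
    """True if the sensor's RSS-derived distance disagrees with the announced position."""
    measured = rss_estimate(sensor, true_pos, tx_power, common_power)
    claimed = dist(sensor, fake_pos)
    return not math.isclose(measured, claimed, rel_tol=1e-9)


def demo():
    common_power, tx_power = 1.0, 4.0           # S_s and S'_s (constructed)
    lam = math.sqrt(common_power / tx_power)    # every measured distance is lam * d
    f_true, f_fake = (0.0, 0.0), (3.0, 0.0)     # F and the announced F'
    centre, radius = blind_circle(f_true, f_fake, lam)

    # P1..P3 on the circle (never co-linear), P4 deliberately off it.
    on_circle = [(centre[0] + radius * math.cos(a), centre[1] + radius * math.sin(a))
                 for a in (0.4, 2.0, 4.5)]
    p4 = (centre[0] + 1.5 * radius, centre[1] + 0.5)

    verdicts = [accuses(p, f_true, f_fake, tx_power, common_power)
                for p in on_circle + [p4]]
    return centre, radius, verdicts


if __name__ == "__main__":
    centre, radius, verdicts = demo()
    print("blind circle:", centre, radius)
    print("accusations from P1..P4:", verdicts)
```

For verifier placement this gives a direct check: compute the circle through any three planned stations and confirm the fourth is not on it.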

Corollary 1 The protocol FindMap($\lceil n/2 \rceil - 1$) identifies all faking sensors in the model
where faking sensors can corrupt the RSS ranging technique, provided that $n - f - 3 > f$ and
no four sensors are located on the same circle and no three sensors are co-linear.

Proof: Let us consider a faking sensor F, which fakes its transmission power. Theorem
3 guarantees that in each set of four correct sensors there exists a sensor which detects
inconsistency on distance to F. Thus each faking sensor will be accused by at least $n - f - 3$
correct sensors. By inequality $n - f - 3 > f$ the number of correct sensors that accuse F
is at least $\lceil n/2 \rceil - 1$ and the number of faking sensors is at most $\lfloor n/2 \rfloor - 2$. Thus each faking
sensor will be found faking and no correct sensor will be found faking. If faking node F does
not change its transmission power but only lies about its position then at least one of three
non-co-linear correct sensors will detect inconsistency. □

Theorem 3 can also be applied in the protocol for the model of trusted sensors. In the
protocol presented in [3], we can use Theorem 3 to find a deployment of the minimum number
of hidden stations required to detect faking nodes.

Corollary 2 If the four hidden stations are not located on the same circle and no three
stations are co-linear then one of the stations will always detect a faking node.

Corollary 2 remains true provided the faking node's transmission reaches all hidden
stations and it is not allowed to use directional antennas. Since the verifiers are hidden to
the faking node in the model of [3], the latter has very low chances to consistently fake its
position even with directional antennas.
Chapter 5

Protocol based on ToF-like 
ranging techniques 

In this chapter, we first discuss how faking sensors can corrupt the two SToF and DAT 
ranging techniques: 

1. In case the SToF ranging technique is used by sensor u, u first transmits a message,
attaching the time of transmission $t_s$ to the message. Sensor v, which receives the
message from sensor u at time $t_r$, estimates the distance based on delay $t = t_r - t_s$ and
radio signal propagation speed $s_r$: $\hat{d}(v,u) = s_r t$. So, it is possible that a faking sensor
can prevent sensor v from computing the real distance by faking the transmission time
$t_s$.

2. In case the DAT ranging technique is used, sensor u transmits each message simultaneously
with two signals (e.g. RF and US signals). Sensor v then records the difference
of arrival time t between the RF signal and the US signal. This can be done using only a local
clock at v. Thus no global time is required. Then, sensor v computes distance $\hat{d}(v,u)$
based on t, propagation speed $s_r$ of the RF signal and propagation speed $s_u$ of the US signal.
In this case, a faking sensor may prevent a correct sensor v from computing the real
distance by delaying one of the two simultaneous transmissions.

Now we show that corrupting the SToF and DAT ranging techniques has the same effect on
correct sensors.

Lemma 5 If the ranging is evaluated with the SToF technique and faking sensor F shifts its real
transmission time then all correct sensors compute the real distance to sensor F increased
or decreased by the same length b.

Proof: Let us assume that faking sensor F shifts its real transmission time by $t'$. Then
all the correct sensors will compute the distance modified by $b = s_r t'$, where $s_r$ is the radio
signal propagation speed. □
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Lemma 6 // the ranging is evaluated with DAT technique and faking sensor F introduces 
shift i' 7^ between the RF and US transmissions, then all correct sensors compute the real 
distance to the sensor F increased or decreased by the same length b. 

Proof: Since the faking sensor shifts the two transmissions by time $t'$, the difference
in arrival times of the signals will be $t + t'$, where $t$ is the original difference for $t' = 0$. Each
correct sensor will compute $d$ based on the following equation.

$$\frac{d}{s_r} - \frac{d}{s_u} = t + t'$$

Thus the real distance will be modified by

$$b = \frac{t'}{1/s_r - 1/s_u}$$

in all correct sensors. □
Since the corruption on SToF and DAT has the same result we can formulate the following 
theorem for both ranging techniques. 

Theorem 4 If the distance evaluation is done with the SToF or DAT techniques, no six
sensors are located on the same hyperbola and no three sensors are co-linear, then at least
one of six correct sensors detects an inconsistency in a faked transmission.

Proof: 

Let us assume that faking sensor F enlarges its distance against the correct sensors by
$b$. The case when the sensor reduces its distance is symmetric. By Lemmas 5 and 6 there are
at most two faked locations F' and F'' for faking sensor F which guarantee consistency
against sensors $P_1$ and $P_2$ (see Figure 5.1). Let us assume that sensor F chooses the faked
location F'.

Now we will find the set of correct sensors, which will not detect the inconsistency. We 
consider two cases: 

1. The first case is when the distance $c$ between F' and F is strictly larger than $b$ (see Figure
5.2). Each correct sensor P that cannot detect an inconsistency on its distance to F has
to measure, by ranging, exactly the distance that it computes from the announced
coordinates F'. This condition can be transformed into distances on the plane:
$|F'P| = |FP| + b$. Based on this condition we can come up with a system of equations
for the sensors in $S = \{P : |F'P| = |FP| + b\}$.

\[
\begin{cases}
x^2 + y^2 = z^2 \\
x^2 + (y - c)^2 = (z + b)^2
\end{cases}
\tag{5.1}
\]
Figure 5.1: Figure shows that sensor F can change its position to F' and consistently lie
against sensor P3 which is located in the middle of segment FB. Length of segment F'B is
$b$.

Figure 5.2: We assume that $|FF'| > b$. Figure shows set S of correct sensors located on the
hyperbola, which cannot detect inconsistency. That is, for each correct sensor P located on
the hyperbola the distance $|F'P|$ is equal to $|FP| + b$.
Here $|FP| = z$ and $x, y$ are the coordinates of a correct sensor $P \in S$. We assume that
$F = (0, 0)$ and $F' = (0, c)$. Next we can find the equation of the hyperbola.

\begin{align*}
x^2 + (y - c)^2 &= x^2 + y^2 + 2bz + b^2 \\
(-2yc + c^2 - b^2)^2 &= 4b^2 (x^2 + y^2) \\
4y^2c^2 - 4yc(c^2 - b^2) + (c^2 - b^2)^2 &= 4b^2 (x^2 + y^2) \\
4y^2c^2 - 4yc(c^2 - b^2) + (c^2 - b^2)^2 - 4b^2y^2 &= 4b^2x^2 \\
4(c^2 - b^2)y^2 - 4c(c^2 - b^2)y + (c^2 - b^2)^2 &= 4b^2x^2 \\
(c^2 - b^2)(4y^2 - 4cy + c^2 - b^2) &= 4b^2x^2 \\
(c^2 - b^2)\left((2y - c)^2 - b^2\right) &= 4b^2x^2 \\
(c^2 - b^2)(2y - c)^2 - b^2(c^2 - b^2) &= 4b^2x^2 \\
(c^2 - b^2)(2y - c)^2 - 4b^2x^2 &= b^2(c^2 - b^2)
\end{align*}



y2 



The five sensors uniquely determine the hyperbola. Thus the sixth sensor, which is 
not located on the hyperbola by our assumption, will detect inconsistency. 



2. The second case is when the distance $c$ between F' and F is at most $b$ (see Figure 5.3).
We will show that $P_1$ or $P_2$ will have to detect an inconsistency. The distance measured
using coordinates by $P_i$ for $i = 1, 2$ has to be exactly $|FP_i| + b$ to prevent sensor $P_i$
from detecting an inconsistency. By the triangle inequality we have $|F'F| + |FP_i| \geq |F'P_i|$
for $i = 1, 2$. Thus the distance $|F'P_i|$ measured by $P_i$ with a ranging technique is at
most $|FP_i| + b$. Sensor $P_i$ for $i = 1, 2$ will measure the required distance when sensors F',
F and $P_i$ are co-linear. This will happen for at most one sensor, because we
assume that no three sensors are co-linear.

□ 
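The two cases of the proof can be checked numerically. The following is an added example, not code from the report: the function names, the tolerance and all coordinates are assumptions chosen for illustration, with F = (0, 0) and F' = (0, c) as in the proof.

```python
import math

def detects(P, F, F_claimed, b, tol=1e-9):
    """True if verifier P sees ranging and coordinates disagree.

    A shifted SToF/DAT transmission makes P measure |FP| + b, while the
    announced coordinates F' give |F'P|.
    """
    return abs(math.dist(P, F) + b - math.dist(P, F_claimed)) > tol

def blind_point(c, b, u):
    """Point of the blind set for F = (0, 0), F' = (0, c), c > b > 0.

    Parametrises the branch nearer F of
    (c^2 - b^2)(2y - c)^2 - 4 b^2 x^2 = b^2 (c^2 - b^2).
    """
    k = math.sqrt(c * c - b * b) / 2
    return (k * math.sinh(u), c / 2 - b / 2 * math.cosh(u))

def undetected(verifiers, F, F_claimed, b):
    """Verifiers that accept the faked position."""
    return [P for P in verifiers if not detects(P, F, F_claimed, b)]

F = (0.0, 0.0)
# Case 1 (c > b): five constructed verifiers on the hyperbola, one off it.
ON_BRANCH = [blind_point(10.0, 4.0, u) for u in (-1.2, -0.5, 0.1, 0.7, 1.5)]
SIXTH = (6.0, 1.0)
CASE1 = undetected(ON_BRANCH + [SIXTH], F, (0.0, 10.0), 4.0)

# Case 2 (c <= b): only a verifier co-linear with F' and F, behind F, is blind.
P1, P2 = (0.0, -5.0), (3.0, -4.0)
CASE2 = undetected([P1, P2], F, (0.0, 4.0), 4.0)
```

In case 1 the five verifiers on the branch accept the faked position and only the sixth rejects it; in case 2 with c = b only the co-linear verifier P1 accepts it.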

Theorem 4 allows us to modify the protocol FindMap so that it works in the model in
which faking sensors can corrupt the SToF or DAT ranging technique.

Corollary 3 The protocol FindMap($\lceil n/2 \rceil - 2$) identifies all faking sensors, in the model
where faking sensors can corrupt SToF or DAT ranging techniques, provided $n - f - 5 > f$
and no six sensors are located on the same hyperbola and no three sensors are co-linear.

Proof: Let us consider a faking sensor F. Theorem 4 guarantees that in each set of six
correct sensors there exists a sensor which detects an inconsistency on its distance to F. Thus each
faking sensor will be accused by at least $n - f - 5$ correct sensors. By the inequality $n - f - 5 > f$,

Figure 5.3: We assume $|FF'| < b$. Figure shows that faking sensor F cannot change its position
to F' consistently against sensors $P_1$ and $P_2$. That is, $|F'P_1| < |FP_1| + b$ or $|F'P_2| < |FP_2| + b$,
allowing sensor $P_1$ or $P_2$ to detect inconsistency.



the number of correct sensors that accuse F is at least $\lceil n/2 \rceil - 2$ and the number of faking
sensors is at most $\lfloor n/2 \rfloor - 3$. Thus each faking sensor will be found faking and no correct sensor
will be found faking. □
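The counting argument of Corollary 3 can be run on a worst-case layout. This is an added example, not the report's FindMap code: the voting rule (a sensor is found faking when at least `threshold` sensors accuse it), the behaviour of the fakers, the names `find_map_tof` and `scenario`, and every coordinate are assumptions made for illustration.

```python
import math

def find_map_tof(positions, fakers, threshold, tol=1e-6):
    """Return the ids found faking by an accusation vote (assumed rule).

    positions[i] is the real position of sensor i; fakers maps a faking
    id to (announced_position, b), b being the ranging shift it causes.
    """
    n = len(positions)
    announced = [fakers[i][0] if i in fakers else positions[i] for i in range(n)]
    accusations = [0] * n
    for v in range(n):
        for u in range(n):
            if u == v:
                continue
            if v in fakers:
                # Assumed worst case: fakers accuse every correct sensor
                # and shield each other.
                accusations[u] += u not in fakers
                continue
            shift = fakers[u][1] if u in fakers else 0.0
            measured = math.dist(positions[v], positions[u]) + shift
            from_coords = math.dist(positions[v], announced[u])
            accusations[u] += abs(measured - from_coords) > tol
    return {u for u in range(n) if accusations[u] >= threshold}

def scenario():
    """Constructed layout: n = 12, f = 3, five verifiers blind to faker 0."""
    c, b = 10.0, 4.0
    k = math.sqrt(c * c - b * b) / 2
    blind = [(k * math.sinh(u), c / 2 - b / 2 * math.cosh(u))
             for u in (-1.2, -0.5, 0.1, 0.7, 1.5)]
    others = [(6.0, 1.0), (-7.0, 3.0), (3.0, -8.0), (-4.0, -6.0)]
    positions = [(0.0, 0.0)] + blind + others + [(8.0, 8.0), (-9.0, -2.0)]
    fakers = {0: ((0.0, c), b),
              10: ((12.0, 5.0), 2.5),
              11: ((-5.0, -7.0), -1.5)}
    return positions, fakers

if __name__ == "__main__":
    positions, fakers = scenario()
    n, f = len(positions), len(fakers)
    assert n - f - 5 > f
    print(sorted(find_map_tof(positions, fakers, math.ceil(n / 2) - 2)))
```

Faker 0 is accused by exactly n - f - 5 = 4 correct sensors, which meets the threshold, while each correct sensor collects only f = 3 accusations; raising the threshold by one lets faker 0 escape.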
Theorem 4 can also be applied in the protocol for the model of trusted sensors [3]. We
can use Theorem 4 to compute the deployment of the minimum number of hidden stations
required to detect faking nodes.

Corollary 4 If the six hidden stations are not located on the same hyperbola and no three
stations are co-linear, then one of the stations always detects a faking node.

Corollary 4 is true provided the attacker's transmission reaches all the hidden stations
and the attacker is not allowed to use directional antennas. Since the verifiers are hidden from
the faking node, the latter has a very low chance to consistently fake its position even with
directional antennas.
Chapter 6

Concluding Remarks


We proposed a secure positioning deterministic protocol for WSN that performs in the most
general NTS model. Although the previous protocol of Hwang et al. [13] is probabilistic
(and thus, unlike ours, cannot give certain results), it is interesting to see if the certainty
of the result comes with a price (with respect to the number of exchanged messages to
solve the problem). In [13], each sensor announces one distance at a time in a round robin
fashion (otherwise the faking node could hold its own announcement, collect all correct nodes'
information, and send a consistent range claim), inducing $n(n - 1)$ sent messages, an overall
$O(n^2)$ message complexity. In our case, $n$ coordinate messages are sent in round one, and
$n$ accusation messages are sent in round two, overall an $O(n)$ message complexity. However,
from an information complexity point of view, the two approaches are equivalent, since the
exchanged messages in our protocol can be $n$-sized (inducing $O(n^2)$ information in both cases).
To conclude, we would like to mention two interesting open questions: 

1. Our protocol makes some synchrony hypotheses to separate between rounds and filter 
faking nodes. It is worth investigating to determine the exact model assumptions that 
are necessary and sufficient to solve the same problem in the NTS model with respect 
to synchrony. 

2. Our network model assumes that correct nodes are within range of every other node.
Extending our result to WSN with fixed ranges for every node is a challenging task,
especially since previous results on networks facing intermittent failures and attacks [6],
[7], [18] are written for rather stronger models (i.e. wired secure communications) than
that of this paper.